-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[System.Text.Json] Expose a setting disallowing duplicate JSON properties #108521
Comments
Tagging subscribers to this area: @dotnet/area-system-text-json, @gregsdennis |
This is surprising to me since both Good change. 👍 |
|
I don't see a need for LastWriteWins & FirstWriteWins. How would anyone decide which to use as it really depends on the JSON payload being parsed. If the current behavior is LastWriteWins then I would just keep that and not offer FirstWriteWins at all. Also, perhaps LastPropertyWins (or BottommostPropertyWins) is a better name as I'd like to think about the JSON payload and not how the deserializer works internally. And I like your AllowDuplicateProperties proposal as this is simpler and then you can ignore the naming issue I mention above. However, usually you want the befault of something to be false and for back-compat, you might want **Disa**llowDuplicateProperties instead so that this defaults to current behavior. |
I came up with the distiction between LastWriteWins and FirstWriteWins for a few reasons:
|
If we were starting from scratch, we would never let dups be tolerated as the resulting behavior is unpredictable. No one has asked for LastWriteWins functionality and never should - it is a clear indication that something is wrong somewhere. So I, as a customer, would never know how to decide between FirstWriteWins & LastWriteWins. Picking one of these is tantamount to picking a random number seed - I'll get one value or the other but I can't predict which as the JSON payload producer can just flip the properties in the JSON payload before sending it to me to deserialize. |
(Confirmed that element does handle as last wins.) |
If we were starting from scratch, duplicate properties would be rejected by default. Aside from backward compatibility concerns however, there is still a case to be made about supporting reads from data sources that aren't perfect and are known to contain duplicates. In that context, a FirstWriteWins behaviour makes more sense from a performance perspective -- you deserialize the first occurrence and skip all other |
You could convince me that I have code that wants to see all values sharing a single property name and to accomplish this, I'd need to parse the json manually or maybe serialize each property to all array of values. But you will not convince me that randomly selecting a single value from a group and returning that allows me to write code whose behavior I have confidence in and is predictable. |
Background
JsonSerializer
today tolerates JSON payloads that contain duplicate properties, following a last-write-wins strategy when binding property values. Duplicate properties can be problematic from a security standpoint since they introduce ambiguity, which can be exploited in the context of JSON interoperability vulnerabilities. We should expose an option that prevents duplicate properties from being accepted.API Proposal
API Usage
Additional Notes
The option should extend to
JsonObject
but is not applicable toJsonDocument
which stores the full JSON payload. We might still be able to enforce lack of duplication which could be expressed as a boolean property onJsonDocumentOptions
:cc @GrabYourPitchforks @JeffreyRichter
The text was updated successfully, but these errors were encountered: